When performing LDAP authentication with a group membership check, any LDAP client, RoamServer included, fails to detect the membership if the group in question is the user's Primary Group. This is not a bug in RoamServer or in LDAP; it is how Microsoft Active Directory stores primary group membership, by design.
===== Details =====
When RoamServer is configured for LDAP authentication with a group membership check, the search filter usually looks something like this:
Note: Assume a group called iPass in the Users container of a domain called corp.com, that is, the distinguished name CN=iPass,CN=Users,DC=corp,DC=com.

However, if the user's account has the iPass group set as its Primary Group, RoamServer fails to determine that the user is in that group. In fact, any LDAP client (LDP, any LDAP browser, and so on) fails in the same way: an LDP query does not even show the user in the group's member list, because Active Directory records a user's primary group only in the user's primaryGroupID attribute, not in the group's member attribute or the user's memberOf attribute. This is by design of Microsoft Active Directory (http://support.microsoft.com/?kbid=321360).
===== Solution =====
The solution is to query the user object's primaryGroupID attribute and compare it with the numeric value that identifies the group. That value is the group's relative identifier (RID), the last component of the group's objectSid. For the well-known built-in groups the RID is fixed (Domain Users is always 513), but for a group you create yourself, such as iPass, the RID is assigned by the domain when the group is created and differs from one domain to another, so look it up in the domain in question rather than assuming a value.
For example, suppose the RID of the iPass group, and therefore the primaryGroupID of a user whose Primary Group is iPass, is 587. The workaround search filter would then be as follows:

This filter first checks for a valid username (sAMAccountName=$USERID). It then checks that the user EITHER is listed as a member of the iPass group (memberOf, which catches users who are in the group but do NOT have it as their Primary Group), OR has a primaryGroupID equal to the group's numeric RID (which catches users who DO have iPass listed as their Primary Group). Because $USERID is substituted from the name the user typed at login, the value must be escaped according to RFC 4515 (the characters *, (, ), \ and NUL) before it is placed in the filter; otherwise a crafted username can change the meaning of the filter.
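The following is an added example, not part of the original article or of RoamServer: it builds the memberOf-only filter and the workaround filter described above, shows how the numeric primaryGroupID value is read out of a group's objectSid, and evaluates both filters against a few constructed user entries to show that only the combined filter matches a user whose Primary Group is iPass. The group DN, the domain SID, the RID 587 and the user entries are all assumed sample data.

```python
import struct

# Assumed group DN for the iPass group in the Users container of corp.com.
GROUP_DN = "CN=iPass,CN=Users,DC=corp,DC=com"


def build_sid(identifier_authority, subauthorities):
    """Serialise a SID the way AD stores objectSid: revision 1, sub-authority
    count, 6-byte big-endian identifier authority, 32-bit little-endian
    sub-authorities."""
    return (bytes([1, len(subauthorities)])
            + identifier_authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subauthorities))


# Constructed objectSid for the iPass group: a made-up corp.com domain SID
# with the group's RID (587 in the article's example) as the last component.
IPASS_OBJECTSID = build_sid(5, [21, 1004336348, 1177238915, 682003330, 587])


def sid_to_string(sid):
    """Render binary objectSid as S-1-5-21-...-RID."""
    revision, count = sid[0], sid[1]
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack("<%dI" % count, sid[8:8 + 4 * count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def rid_from_sid(sid):
    """primaryGroupID holds the group's RID, the last sub-authority of objectSid."""
    count = sid[1]
    return struct.unpack("<I", sid[8 + 4 * (count - 1):8 + 4 * count])[0]


def escape_filter_value(value):
    """RFC 4515 escaping, so a user-controlled $USERID cannot alter the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def member_of_filter(user_id, group_dn):
    """The usual filter: username plus memberOf test (misses primary-group users)."""
    return "(&(sAMAccountName=%s)(memberOf=%s))" % (escape_filter_value(user_id), group_dn)


def workaround_filter(user_id, group_dn, rid):
    """The article's workaround: memberOf OR primaryGroupID == group RID."""
    return "(&(sAMAccountName=%s)(|(memberOf=%s)(primaryGroupID=%d)))" % (
        escape_filter_value(user_id), group_dn, rid)


# Constructed user entries (not from the page). AD never lists a user's primary
# group in memberOf, so bob, whose Primary Group is iPass, has an empty memberOf.
USERS = {
    "alice": {"memberOf": [GROUP_DN], "primaryGroupID": 513},  # Domain Users primary
    "bob":   {"memberOf": [],         "primaryGroupID": 587},  # iPass is primary
    "carol": {"memberOf": [],         "primaryGroupID": 513},  # not in iPass at all
}


def in_group(entry, group_dn, rid=None):
    """Emulate the server-side test: memberOf match, or (if rid given) primaryGroupID match."""
    if group_dn in entry["memberOf"]:
        return True
    return rid is not None and entry["primaryGroupID"] == rid


def users_matched(group_dn, rid=None):
    """Users the filter would return; rid=None reproduces the memberOf-only filter."""
    return sorted(u for u, e in USERS.items() if in_group(e, group_dn, rid))


if __name__ == "__main__":
    rid = rid_from_sid(IPASS_OBJECTSID)
    print(sid_to_string(IPASS_OBJECTSID), "-> RID", rid)
    print("memberOf only:", users_matched(GROUP_DN))
    print("workaround:   ", users_matched(GROUP_DN, rid))
    print(workaround_filter("jdoe", GROUP_DN, rid))
```

In a real deployment the objectSid would be read from the group object (for example with LDP or an LDAP search for CN=iPass) and the RID extracted as above; the resulting filter string is what goes into the RoamServer LDAP configuration in place of the memberOf-only filter.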